Data protection laws have significantly evolved in the last 30 years. As the internet grew and more companies and apps started to collect customer personal information, laws changed to better protect consumers. If this personal information were to get lost or stolen, small business insurance could also help protect businesses.
In 1995, the European Union (EU) enacted the EU Data Protection Directive. It was updated in 2012 with the EU Right to be Forgotten, and in 2018 it was replaced by the General Data Protection Regulation (GDPR).
Data protection is not just critical for the general public, but also for small and large businesses. For individuals, it gives them control over what information gets collected and how it’s used. For businesses, complying with data protection laws is essential. Failure to do so can result in fines, penalties and even criminal charges.
For example, lack of GDPR compliance can result in a penalty of 4% of a business’ revenue or 20 million euros, whichever is larger.1
As in other parts of the world, data privacy laws in the U.S. are also evolving. For example, California passed the California Consumer Privacy Act (CCPA) in 2020. So, it’s important to be aware of the data protection rules that apply to small businesses. In some cases, cyber insurance can also help protect businesses if personally identifiable information gets lost or stolen.
What Is GDPR?
The GDPR, or General Data Protection Regulation, is the toughest privacy and security law in the world.2 The rules of GDPR apply to businesses that deal with information and data from people in the EU, regardless of where they’re based. That means if your business is based in the U.S., but has customers in the EU, you’ll have to make sure you’re complying with GDPR requirements.
The GDPR was created because the EU recognized the need for stronger consumer privacy laws as the internet evolved and more businesses developed digital tools. For example, many banks were offering online banking by 2000, and growing use of social media gave those companies large amounts of information. As more businesses used the internet, they also collected more personally identifiable information (PII).
More specifically, GDPR applies to:
- Personal data, also known as PII. This information can help identify a person. It includes names, email addresses, location information, ethnicity, gender and biometric data.
- Data processing performed on that information, whether it’s automated or manual.
- Data subject, which is the person whose data gets collected.
- Data controller, or the person or organization that decides why and how data gets processed.
- Data processor, or the person or organization that processes data and information on behalf of the data controller.
Be aware that the GDPR requires extra protection for “special categories of data.” Special category data includes:3
- Genetic data
- Biometric data
- Health data
- Sexual orientation data
- Racial or ethnic information
- Political information
- Religious or philosophical beliefs
- Trade union membership
As of 2018, all businesses must comply with the GDPR if they “process the personal data of EU citizens or residents” or if they offer goods or professional services to these residents.4
The GDPR also requires businesses to complete a “Data Protection Impact Assessment” when starting a new project that involves a high risk to consumer data. This can include:5
- Using new technology
- Tracking people’s location or behavior
- Processing a special category of data
Completing impact assessments helps businesses understand the scope of the data processing. It can also help business owners determine what protections to have.
If you’re unsure whether your business has to comply with GDPR, it’s better to be safe than sorry. If your business loses sensitive data and it turns out you were required to comply with the law and didn’t, you can face expensive penalties and fines.
GDPR and Small Businesses
It’s important to know that small businesses are not exempt from GDPR compliance. Whether your business has fewer than 250 employees or more than 500 employees, GDPR applies if it collects or processes data from customers in the EU.
To help with small business GDPR compliance, you can:6
- Conduct an audit to determine what kind of information your company processes
- Provide clear information about data processing and any legal needs for data collection
- Emphasize data protection through encryption and anonymizing personal data whenever possible
- Create a security policy to build awareness around data protection
- Designate someone in your business to be responsible for GDPR compliance
- Ensure consumers can easily enact their privacy rights
What Is CCPA?
The California Consumer Privacy Act (CCPA) is a privacy law that’s different from GDPR. But, similar to GDPR, the CCPA aims to protect consumer data in a specific location, in this case California.
The CCPA is considered the broadest and most comprehensive consumer privacy and data protection law in the U.S. It requires businesses to disclose their privacy practices to consumers and what is done with the data collected.
The CCPA includes:7
- The right to know about the personal information that businesses collect from consumers
- The right to know how businesses use or share collected data
- The right to delete certain personal info collected from them
- The right to opt out of data collection
The act also provides a right to non-discrimination for consumers who exercise their rights. This means the consumer can’t be denied a product or service or charged a different price.8
CCPA and Small Businesses
The CCPA does not exempt small businesses from its requirements. That means your business must comply with CCPA if it has:
- At least $25 million in annual revenue
- Personal data on at least 50,000 consumers
- At least half of its revenue from the sale of personal data
To help your business comply with CCPA, you can:
- Publish a privacy policy
- Explain to consumers what type of data you collect and how it’s used
- Before you collect data, notify consumers and give them an option to opt out
- Explain their rights under CCPA
- Provide an option to not sell consumer data
Data Protection Best Practices
The GDPR and CCPA are strict privacy laws aimed at protecting consumers. When it comes to small business protection, there are a few data protection best practices your business can follow to help with compliance. These include:
- Regularly updating your business’ privacy policy
- Creating a process for consumers to get information stored about them
- Allowing consumers to easily opt out of the sale of their personal or sensitive data
- Reviewing vendor contracts if they receive personal data
- Putting security measures in place to protect data and servers
- Giving access to consumer data only to employees who need it to do their jobs
- Possibly hiring a data protection officer to help with CCPA and GDPR compliance
- Getting data breach insurance in case personally identifiable information gets lost or stolen
What Happens if My Business Is Not Compliant With GDPR and/or CCPA?
If your business isn’t compliant with GDPR or CCPA, then you may face fines, penalties and criminal charges. Fines for non-compliance can start in the thousands per violation. Depending on the situation and size of business, these penalties and fines can reach the millions.
In addition to penalties and fines, your business’ reputation can also be greatly affected after a data breach. That’s why it’s important that your business has data breach insurance as part of its data security plan. Some insurers may call it cyber liability insurance. It can help your business respond to data breaches if it loses PII.
Data Protection for Small Businesses in the Future
Data protection laws and regulations won’t go away in the future. In fact, it’s likely that more states will continue to adopt privacy laws similar to the CCPA. Laws around the world can also evolve as countries aim to protect their citizens.
It’s not too late to put data protection practices in place at your business. A good place to start is to get data breach insurance coverage. Then, you can review your business’ operations and determine how it collects, processes and uses consumer data.
Get a data breach insurance quote today and see how we can help your business if the unexpected happens. Whether it’s a breach or you need help with a claim, we’ve got your back.
Last Updated: August 17, 2022
1 GDPR.EU, “Fines”
2 GDPREU.org, “GDPR”
3 GDPR.EU, “Checklist”
4,6 GDPR.EU, “What Is GDPR, the EU’s New Data Protection Law?”
5 GDPR.EU, “Data Protection Impact Assessment Template”
7,8 State of California Department of Justice, “California Consumer Privacy Act (CCPA)”